DoD plans expansion of government’s first-ever ‘bug bounty’

The Defense Department said Friday that it’s just finished closing all 138 verified security vulnerabilities uncovered by white hat hackers during its first-ever “bug bounty,” and pronounced the program successful enough to warrant a significant expansion.

In the first “Hack the Pentagon” challenge, the department asked anyone with expertise in IT security to find security flaws on five of its largest public-facing websites, including the Defense.gov homepage. The first vulnerability report arrived seven minutes after the contest started, and 1,410 pro and amateur hackers from 44 states wound up making 1,189 reports of security problems during the three-week pilot in late April and early May (though many of those reports were duplicates of the same vulnerabilities).

DoD spent $150,000 on the pilot version of Hack the Pentagon, with about half the money going to administrative costs, including a contract with HackerOne, the private firm that helped run the challenge, and the other half going as bounties to the hackers who discovered the cybersecurity holes.

“That’s not a small sum, but if we’d gone through the process of hiring an outside firm to do a security audit and vulnerability assessment — what we usually do — it would have cost us more than $1 million,” Defense secretary Ash Carter told reporters. “Also, by allowing outside researchers to find vulnerabilities on several sites and subdomains all at once, we freed up our own cyber specialists to spend more time fixing them.”

David Dworken and Craig Arendt, two of the white hat hackers who participated in the project, said most of the issues they found were fairly run-of-the-mill bugs that are common on web servers around the world, including insecure databases and cross-site-scripting holes in which an attacker can do damage simply by pasting malicious code into a form on a vulnerable website.

“That allowed me to create a link that I could then send to someone else and it would display whatever content I wanted as ‘Defense.gov’,” Dworken, 18, said. “That’s dangerous as a phishing risk, because if there are cookies or accounts used by the people who maintain Defense.gov, I could also embed malicious javascript that would let me steal the account people are logged into.”

Defense officials said they were sufficiently encouraged by the pilot that they now want to extend the concept of “crowdsourced” cybersecurity beyond DoD’s top-level public web pages.

For starters, Carter said the department will create a single contract vehicle so that the departments of the Army, Navy and Air Force can quickly launch bug bounties to test the security of their own websites, and said he’s directing them to use that approach wherever possible.

DoD also plans to create a single point of contact so that anyone who discovers a vulnerability in a DoD IT system can disclose it to the department discreetly and “without fear of prosecution.”

Chris Lynch, the director of the Defense Digital Service, later clarified that DoD is not in a position to offer blanket judicial immunity to people who may have violated computer fraud laws at some point in their hacking careers. Rather, DoD is promising to not refer people for prosecution simply because they discovered a bug.

“We want to have a way for people to let us know about our vulnerabilities, but that’s not an open invitation to go at every DoD system,” Lynch said. “The analogy is that if you’re walking around the perimeter of Pentagon and you see a hole in the gate, we’re more interested in knowing that there’s a hole in the gate than how you found the hole.”

The Pentagon also plans to issue new acquisition guidance meant to “incentivize” contractors to subject their code to outside review.

“In some circumstances, we will encourage contractors to make their technologies available for independent security reviews such as bug bounties before they deliver them to us,” Carter said. “This will help them make their code more secure from the start and before it’s installed on our systems.”

Precisely how that would work is still unclear. Even though the systems that host DoD’s public web pages proved a useful proof-of-concept — paying bounties ranging from $100 to $15,000 to the white hat hackers who found bugs — no one’s quite sure as of yet how to extend the crowdsourced security model to the tens of thousands of sensitive DoD and contractor-operated systems that are intentionally hidden from the public internet and that the “crowd” can’t see or test.

“We’re not there yet, but what we want to figure out is how to use this model at almost any level of security classification or any type of activity,” Lynch said. “We’re starting at the surface with the recognition that this is a really valuable tool. Not all things require clearances, and you could still do a crowdsourced model with people who have recently left the government or contract employees who still hold security clearances. There are a lot of things we can apply this model to, and we want to figure out how to apply it to all of them.”